
The Potential Danger of the New Google .zip Top-Level Domain


The release of two new top-level domains (TLDs) by Google Registry has sparked controversy among members of the information security (infosec) community as they are concerned about how the domains could be used by malicious actors.

On May 3, 2023, Google Registry announced the general availability of several new TLDs, including .dad, .nexus, .zip and .mov. Infosec practitioners immediately flagged .zip and .mov as a security problem: both are common file extensions, so a string that looks like a file name can now also be a valid, resolvable domain name.

The Internet Corporation for Assigned Names and Numbers (ICANN) governs TLDs but delegates the operation of individual TLDs to registry operators, Google being one of them. ICANN's new gTLD program lets organizations apply to run new generic TLDs (gTLDs), including brand TLDs such as .google. Google applied for dozens of gTLDs in the 2012 application round, .zip among them. As of May 17, 2023, about 5,000 .zip domains had already been registered. Some infosec researchers bought such domains to educate end users or to keep likely targets out of attackers' hands. One example is bank-statement[.]zip, which warns visitors about the dangers of the .zip TLD.

Since Google's announcement, many information security experts have voiced concern that the TLDs could be used to trick end users into visiting malicious websites. Websites, messaging platforms, e-mail clients and other applications that automatically hyperlink anything shaped like a domain name will now turn a plain file name such as pictures.zip into a clickable URL. A user who clicks it may land on a phishing site or a malware download instead of the file they expected.

For instance, an attacker who registers pictures[.]zip only needs a phishing email that mentions the file name: "I've attached pictures[.]zip." Recipients may click the automatically created link expecting to download the attachment, not realizing it leads to a website. The same applies to legitimate mail: if a trusted sender mentions a file name that happens to be a registered .zip domain, a recipient who clicks the link reaches whoever is squatting on that domain, and trust in the sender does the rest.
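The linkification problem described above, as an added example that is not part of the original article: a naive autolinker turns every host.tld-shaped token into an anchor, while a hardened one leaves bare tokens under ambiguous TLDs as plain text but still honours an explicit https:// scheme. The regex, the function names and the sample message are this example's own assumptions, not code from any product the article mentions.

```python
import html
import re

# TLDs that collide with common file extensions. .zip and .mov are the two
# Google Registry opened in May 2023. (.com also collides with the MS-DOS
# executable extension, but bare example.com links are expected, so it is not listed.)
AMBIGUOUS_TLDS = {"zip", "mov"}

# A typical autolinker pattern (assumed here): optional scheme, dotted host, optional path.
_URL_RE = re.compile(
    r"(?<![\w@/.-])"                     # not glued to a word, an e-mail local part or another URL
    r"(?P<scheme>https?://)?"
    r"(?P<host>(?:[a-z0-9-]+\.)+(?P<tld>[a-z]{2,}))"
    r"(?P<path>/[^\s<]*?)?"
    r"(?=[.,;:!?)]*(?:\s|$|<))",         # stop before trailing punctuation
    re.IGNORECASE,
)


def _anchor(target, scheme):
    """Render one match as an HTML anchor; scheme-less targets get http://."""
    href = target if scheme else "http://" + target
    return f'<a href="{html.escape(href)}">{html.escape(target)}</a>'


def linkify_naive(text):
    """What many chat and mail clients do: anything shaped like host.tld becomes a link.
    (Escaping of the surrounding text is left to the caller in this demonstration.)"""
    return _URL_RE.sub(lambda m: _anchor(m.group(0), m.group("scheme")), text)


def linkify_hardened(text):
    """Same, but a bare file-name-like token under an ambiguous TLD stays plain text.
    An explicit scheme (https://pictures.zip) is still linked: the user then sees
    it for the URL it is rather than mistaking it for an attachment."""
    def repl(m):
        if not m.group("scheme") and m.group("tld").lower() in AMBIGUOUS_TLDS:
            return m.group(0)
        return _anchor(m.group(0), m.group("scheme"))
    return _URL_RE.sub(repl, text)


def hrefs(rendered):
    """Link targets in rendered output, in order, to compare the two renderers."""
    return re.findall(r'href="([^"]*)"', rendered)


# Constructed sample message; none of these names belong to anyone in particular.
SAMPLE_MESSAGE = (
    "Hi Sam, I've attached pictures.zip and the demo.mov from last week. "
    "Slides are at https://example.com/deck and the notes at docs.example.com/notes."
)

if __name__ == "__main__":
    print("naive:   ", hrefs(linkify_naive(SAMPLE_MESSAGE)))
    print("hardened:", hrefs(linkify_hardened(SAMPLE_MESSAGE)))
```

The naive renderer produces four links, two of which (pictures.zip and demo.mov) the sender never intended as URLs; the hardened renderer produces only the two the sender actually wrote. This is the behaviour the "don't automatically hyperlink .zip" suggestion later in the article amounts to.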

Threat intelligence vendor Silent Push Labs reported two .zip domains hosting pages that imitate Microsoft Office sign-in prompts, an early example of credential phishing abusing the new TLD.

Phishing for credentials is a major concern, but Ines Vestia, senior threat analyst at Silent Push Labs, said the bigger worry is malware. “I wouldn’t see credential phishing as the main threat,” Vestia said. “I would definitely see the main threat being malware downloads. That’s why .zip is problematic. It is associated with large files that have been compressed. If the threat actor combines this with popular software download naming conventions, the results will be quite devastating.”

However, not everyone is worried that end users will click on .zip URLs. Users already treat .zip as a file download, and downloads are exactly what security awareness training has long associated with malware, so more cautious users may not click such a link without checking it first. There is also precedent: .com has been both the MS-DOS and Windows executable extension and the Internet's most common TLD for decades.

Eric Lawrence, principal software engineer at Microsoft, wrote in his blog that squatting on URLs like VacationPhotos[.]zip and hoping someone sends emails mentioning the file extension isn’t very exciting as an attack vector. “I remain unconvinced that normal humans type file name extensions in most forms of communication,” Lawrence wrote. Still, he conceded that it might be best not to automatically hyperlink .zip TLDs to reduce the chances of this attack vector.

As with any potentially abused TLD, the simplest mitigation is to stop the suspicious names from resolving or being reached at all, and there are several places to do it. A DNS filter, web proxy or firewall with URL filtering can deny .zip and any other TLDs the organization does not use. On Windows clients, Name Resolution Policy Table (NRPT) rules, available in Windows Server 2012 and later, can send queries for an entire namespace such as .zip to a DNS server of the administrator's choosing. Outlook's junk-mail settings can also block senders from specific top-level domains, though that filters mail sent from .zip addresses, not links inside messages.
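The "block TLDs the organization doesn't use" policy above, as an added example that is not from the article or from any of the products it names: a resolver-style decision function with the edge cases a practitioner has to get right (case-insensitive names, the trailing dot of FQDN form, an allowlist for the few .zip names that should still resolve, and "zip" appearing as a subdomain label rather than the TLD), run over a constructed query log. The blocked set, the allowlisted name and the log format are assumptions.

```python
import re

# Constructed policy. BLOCKED_TLDS are TLDs this organization never uses and
# therefore refuses to resolve; ALLOWED_NAMES are exceptions it still wants
# reachable (assumed here: the awareness page the article mentions).
BLOCKED_TLDS = {"zip", "mov"}
ALLOWED_NAMES = {"bank-statement.zip"}


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot in FQDN form."""
    return qname.strip().lower().rstrip(".")


def allowed_by_policy(qname):
    """True if the resolver (or proxy, or mail filter) should let this name through."""
    name = normalize(qname)
    labels = name.split(".")
    if len(labels) < 2:            # single-label intranet names are not our concern
        return True
    if labels[-1] not in BLOCKED_TLDS:
        return True                # "zip" as a subdomain label (archive.zip.example.com) is fine
    # Under a blocked TLD, only allowlisted names and their subdomains resolve.
    return any(name == ok or name.endswith("." + ok) for ok in ALLOWED_NAMES)


# Constructed resolver log: client, query type, queried name. Not real traffic.
SAMPLE_QUERY_LOG = """\
10.0.0.12 A    www.example.com.
10.0.0.12 A    pictures.zip.
10.0.0.40 AAAA Cdn.Update-Installer.ZIP
10.0.0.40 A    www.bank-statement.zip.
10.0.0.7  A    trailer.mov
10.0.0.7  A    archive.zip.example.com.
"""

_LOG_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$")


def audit_queries(log_text):
    """(client, normalized name, decision) for every well-formed log line."""
    decisions = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        name = normalize(m.group("qname"))
        decisions.append((m.group("client"), name,
                          "allow" if allowed_by_policy(name) else "block"))
    return decisions


if __name__ == "__main__":
    for client, name, decision in audit_queries(SAMPLE_QUERY_LOG):
        print(f"{decision:5} {name:28} ({client})")
```

Note that the suffix check uses "." + allowlisted name, so a look-alike such as evil-bank-statement.zip is still blocked; matching on a bare string suffix would let it through.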

Blocking .zip and .mov outright is, for now, the most common recommendation from the infosec community. Johannes Ullrich, dean of research at SANS Technology Institute, wrote, "Given the low 'real world' usage of .zip domains, it may be best to block access to them until it is clear if it will be useful."

In summary, the release of the two TLDs has divided opinion because of their potential for use in phishing and malware-download attacks. Caution and vigilance are advised, but so is avoiding general panic: the sensible course is to block the TLDs where they serve no business purpose and to wait for more evidence of how the threat actually develops.
